
Note: the same page is available in French, thanks to Christophe Xhrouet: Comment sécuriser vos emails avec GnuPG et Enigmail.

Note: This page is available in Croatian, thanks to Anja Skrba: GnuPG i Enigmail.

Summary

With the GNU Privacy Guard (GnuPG) and a good mail client such as Mozilla (web+email) or Mozilla Thunderbird (just email), you can have really secure email conversations, using excellent and free software. Plain emails indeed have two big problems: they are neither authenticated (you can pretend to be anybody when you send a mail, which is what spammers and viruses do), nor encrypted (anybody on the path your email takes, from you to your correspondent, can read it). With GnuPG-powered email signature and encryption, you can be sure the messages come from the person they claim to come from, and be sure only the people you choose will have access to your emails!
Installing GnuPG and Enigmail (the plugin which enables Mozilla mail clients to secure mail with GnuPG) is a matter of minutes; let's see how to do it: jump to the Windows™ part if you are using this operating system, or to the GNU/Linux™ and other Unix-like part if you are using a GNU/Linux distribution or another Unix-like OS.

News about this page

November 28, 2004

A few more updates: fixed links, explained better new Enigmail functions, etc.

November 14, 2004

Updates, and two pieces of good news:

September 20, 2004

Some more updates, e.g. to recommend Mozilla 1.7.3 (the only version without known security bugs at the moment) over other Mozilla versions, or Thunderbird 0.8 (idem), or to update a French link. Speaking of updates, small TODO: tell people they should be able to update Enigmail through their extension manager, now that Thunderbird 0.8 finally seems to have it working :-)

May 18, 2004

More details about how you will be able to test, and learn better, all this stuff, signing or encrypting a test mail for me. How to encrypt for someone is now explained better, since it was not obvious before that you have to import, and sign, this someone's key.

May 12, 2004

Small updates in the download part again, since Thunderbird 0.6 and Enigmail 0.84.0 are out.

April 23, 2004

Enigmail download page updated (now there is only one page for both Mozilla mail and Mozilla Thunderbird mail clients).

April 19, 2004

I realized I was not explicit enough in my "where do we go from here" instructions: many of you sent me signed mail, without realizing I needed your public key to verify it :-) I therefore added a note to this part, to explain why and how to let me (and others) know your public key.

April 05, 2004

New category of external links added, for the moment focused on keyservers, signatures between keys and trust paths between keys (other useful links).

March 26, 2004

This may be the first version of a complete secure email tutorial; let's call it 1.0 then :)
A new paragraph has been inserted at the end of the screenshot-driven Enigmail tutorial, which explains what to do after these first steps into secure email. An important note, "Why and how to publish your key to a keyserver", has been added to the glossary, whose usability has also been improved.

March 22, 2004

I learnt from the Enigmail mailing list that 0.83.2 (or 0.83.3 for MacOSX or FreeBSD, but not 0.83.5) was the right Enigmime version for Thunderbird 0.5 at the moment. One occurrence of this version number was corrected, although you can't make any mistake if you follow the instructions on the download page anyway.

March 14, 2004

Many new explanations in the glossary, especially about public and private keys, keyservers or signing others' keys, plus more details about GnuPG commands.

March 6, 2004

Added a bunch of links, and information about Windows™ and GNU/Linux GnuPG key management graphical front-ends, and the GnuPG CLI.

March 5, 2004

More screenshots, links and information, including basic install info in the GNU/Linux part.

March 4, 2004

Added some screenshots through a gallery.

March 3, 2004

First version of this document (for Windows™, with a link to more complete GNU/Linux documentation).

If you have Microsoft Windows™

Install GnuPG

Install Enigmail

optional: Install WinPT or GPGshell key management front-ends

Note: Enigmail will handle key pair generation and pretty much every email-related function you will need; since Enigmail v0.89.0 it even handles key management tasks like key signing! If you need even more functionality (like non-email-based signature / encryption / signature verification) I recommend the direct GnuPG interface presented below, though WinPT or GPGshell work OK on Windows™ (and can encrypt, decrypt, sign and verify the clipboard or current window content, which is useful for webmail interfaces like Hotmail or Gmail). Skip to the Enigmail part if you trust me, or keep reading this part if you really think you need it :) .
The WinPT package includes:
GPGshell is another Windows™ GnuPG GUI which interfaces with one of the latest GnuPG versions, 1.2.5, but unfortunately it is not open source. You can give it a try though, if you can't or don't want to use the GnuPG command line for operations like key signing.

If you have GNU/Linux™ (or another Unix-like OS)

Note for non-GNU/Linux users: there seem to be versions of Enigmail for Solaris, Mac OS X, NetBSD, FreeBSD and OpenBSD (which you can see by clicking on Show all operating systems on the Enigmail download page), so I assume it works on those systems at least for some people ;-) Unfortunately I cannot test Enigmail (and Mozilla!) on them myself, so you are welcome to send me any good or bad report about it.
Since the installation method depends on your GNU/Linux distribution, I won't list every way to install the three components we need here (GnuPG, which is probably already installed, + Mozilla Seamonkey or Mozilla Thunderbird + Enigmail). But you are already using GNU/Linux, so I assume you will find a way to install those 3 pieces of software :)
If you are using Debian, my favorite Linux distribution, I can already tell you apt-get install mozilla-thunderbird-enigmail will be enough to install GnuPG, Mozilla Thunderbird and its Enigmail plugin :)
Once you have installed Enigmail and Mozilla Seamonkey or Thunderbird, you can continue to follow this guide.

optional: Install a graphical key management front-end

I tend to think it's not necessary, especially since Enigmail now handles key signing and management, and also since you should be used to typing instructions on the command line under GNU/Linux ;-) , but it's true there are some nice GUIs out there if you prefer them to the gpg interface:

In both cases: Configure GnuPG and Enigmail through the simple Enigmail graphical interface

Now you have access to GnuPG-powered secure email functions and configuration through the Enigmail menu in your mail client.
Let's put this into practice! (note: the following screenshots were taken with Thunderbird; please tell me if the Mozilla GUI differs noticeably on some points)

Let's roll! (or sign and encrypt our first messages)

Now you can sign (with the pen icon, the OpenPGP toolbar button or a keyboard shortcut) or encrypt (with the lock icon, the OpenPGP toolbar button or a keyboard shortcut) your messages through the new icons present in the bottom right corner of your message window! You can see these buttons in the following screenshot:
Enigmail compose window, with signature and encryption highlighted

Finally, you can look at the following sequence of images to see how signing, encrypting, verifying and decrypting messages happens.
First of seven screenshots demonstrating signature and encryption

Where do we go from here

You have just learnt pretty much all there is to know to send and receive secure emails through Enigmail! The only thing missing now is building your "web of trust", which can be managed by Enigmail too, since it now integrates a key manager. Here are the steps to start building and using this web of trust:

Short guide to GnuPG binary (= command line interface)

Note: this paragraph is not strictly necessary since Enigmail is now capable of signing keys, importing them from files, and setting your trust in them :-)
First, if you are using Windows™, you won't have access to GnuPG by typing just gpg on the command line until you put the directory where you installed gpg.exe in your PATH environment variable. That is explained on this installation page, if you don't already know how to do this.
Then, to discover GnuPG commands, you have at least two options: gpg --help or the manual page, accessible via man gpg on GNU/Linux or online on Windows™ and GNU/Linux. The first command you will need is gpg --sign-key nameOrIdOfSomePublicKey if you want to sign a correspondent's key (or it won't be certified and will keep appearing as "UNTRUSTED" in Enigmail), or simply gpg --edit-key idOrNameOrPartOfEmail, which is a front-end to many commands related to the keys in your 'keyring'. Type help in gpg --edit-key mode to see the available commands.
Note: if you are using Windows™, you may want to create a text file named gpg.conf in the GnuPG directory (C:\gnupg if you followed this tutorial), containing simply "keyserver x-hkp://random.sks.keyserver.penguin.de". On GNU/Linux, this file may already exist in the .gnupg subdirectory of your home directory, but the keyserver keyword may be followed by other addresses than random.sks.keyserver.penguin.de. I recommend putting keyserver x-hkp://random.sks.keyserver.penguin.de in front of any other such lines, since random.sks.keyserver.penguin.de is the best keyserver address I have found (more details about the keyserver network this address points to, web interface to this keyserver network). In fact, Enigmail itself uses this alias too, when it needs a keyserver to retrieve (public) keys!
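As an added example (not the page's own code), a small Python helper that does what the note above describes for gpg.conf: it puts the random.sks.keyserver.penguin.de keyserver line first while keeping any other lines, and the default file location of ~/.gnupg/gpg.conf is an assumption you can override with the Windows path.

```python
"""Put the keyserver line the page recommends first in gpg.conf (added example)."""
from pathlib import Path

PREFERRED = "keyserver x-hkp://random.sks.keyserver.penguin.de"


def merge_keyserver_lines(existing, preferred=PREFERRED):
    """Return the config lines with `preferred` first and any older copy of it removed.

    Other keyserver lines and unrelated options are kept, in their original
    order, after the preferred line, so nothing you configured is lost.
    """
    others = [line for line in existing if line.strip() != preferred]
    return [preferred] + others


def set_preferred_keyserver(conf_path=None, preferred=PREFERRED):
    """Rewrite gpg.conf (creating it if missing) and return its new lines.

    Default location is ~/.gnupg/gpg.conf (an assumption); on Windows pass the
    GnuPG directory you chose at install time, e.g. C:\\gnupg\\gpg.conf if you
    followed the tutorial. The GnuPG directory itself must already exist.
    """
    path = Path(conf_path) if conf_path else Path.home() / ".gnupg" / "gpg.conf"
    existing = path.read_text().splitlines() if path.exists() else []
    lines = merge_keyserver_lines(existing, preferred)
    path.write_text("\n".join(lines) + "\n")
    return lines
```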

Glossary

Key Pair
A key pair is composed of:
  • Your public key, which you can give to anybody (or even publish on a keyserver, see why): it allows people to authenticate you, and to send you encrypted, confidential email or files (of course you can also use that for non-confidential messages, just for practice ;-).
  • Your private key, which you should never give to anyone: it allows you to sign (i.e. authenticate yourself), and to decrypt the confidential, encrypted mail or files people have sent to you (or that you have encrypted for yourself).
Your public key can come with some information about you, like your name, your email, a comment (like “Professional key” or “high-security key, don't use it when you want to reach me when I am travelling”), and even signatures by other people that certify you are you (or at least they think you are :). In fact, this informative text, for example “John Doe (personal key) <john_doe@someinternetprovider.com>”, is called a User ID, and if you have several emails you can attach several user IDs to your key pair.
Why and how to publish your (public) key: As soon as you know secure email is good for you (which you probably know now that you've almost reached the end of my page ;-), you should publish your public key on a keyserver (with the GnuPG command gpg --send-key yourName, or by exporting your public key to a file and sending it to a keyserver via its web interface); this way it will be easy for people to know they have a way to communicate securely with you, and it will also be easier for them to sign your key or verify your signature on others' keys.
In case you want to know, for example for back-up purposes, here are the files that contain respectively your private key, and your public key plus your user IDs and optional picture, in short your public identity: secring.gpg and pubring.gpg.
Public key, private key (more theory)
In short, you need to know that the public key is used to verify what has been signed by the private key, and to encrypt messages and files that only the private key will be able to decrypt. Of course, you must keep your private key to yourself, but since the associated public key cannot be used to guess your private key, you can publish your public key as much as you want.
You can learn more about the theory behind key pairs, heavily used for authentication or confidentiality, in this article on Public key cryptography.
Keyserver
Most GnuPG or PGP users make their key(s) available (not the private part, of course ;-) on a keyserver, which is an easy way to centralize and find keys. Even though many keyservers exist today (some with more features than others), most of them are synchronized for consistency and redundancy. Some addresses correspond to one keyserver, like pgp.mit.edu, others point to many synchronized keyservers, like random.sks.keyserver.penguin.de, and most of them have a web interface like this one alongside a PGP interface (the one you use through Enigmail or command line instructions like gpg --search-keys or gpg --send-keys).
Note: you can have gpg (on the command line) use the same keyserver(s) Enigmail uses by adding lines like keyserver x-hkp://random.sks.keyserver.penguin.de to gpg.conf in your GnuPG profile directory. This way, instructions like gpg --send-key your@email will automatically use these recent keyservers.
Signing a key
When you receive emails or files signed by someone or an organization, nothing tells you they were really signed by the person or organization designated by the name attached to the key (by the way, when we don't specify, we mean the public part of one's key pair). You also have to establish that a key pair is under the control of the person you want to send files and messages to securely, because it would not make sense to encrypt a message with a public key if this public key is not really your correspondent's! What you have to do before trusting something is some authenticity checking, like:
  • For a person, either:
    • If you know him or her personally, just ask for his or her key fingerprint over the phone!
    • You can of course exchange your fingerprints face to face too.
    • Finally, if you don't know them (yet), you can get a first idea of what their true key is if they have a website and put their key or fingerprint on it. For example, you will find the keys and key fingerprints of Philip Zimmermann, PGP's original developer, here.
  • For an organization, you can also check their key on their website (examples: Microsoft Security Notification Service key, US-CERT key, Linux kernel key).
  • And in both cases, you can check the authenticity of a key through your web of trust (more explanations on this page), that is the trust relationships between you and the public key you are interested in. Example: you trust Bob fully to sign keys, and Bob has signed Alice's key with a complete trust value. You will then consider Alice's key as valid! Another example: you trust Bob and Chris, and both have signed Alice's key with a marginal trust value; then you can also consider Alice's key valid.
Once you have checked the authenticity of a key, preferably in real life (for example meeting or phoning someone you know and noting down his or her fingerprint, or going to a key signing party and checking people's identities and PGP fingerprints), you can use Enigmail (see next paragraph) or launch gpg --sign-key userID to concretize your trust in this identity by signing his/her public key. Then the key will become valid for you (and, for example, there won't be a question mark over the 'signed' symbol in Enigmail anymore), plus you can tell everyone (especially people who trust you) that you trust this key by uploading it with your signature back to the keyserver with gpg --send-key userID. When people receive a key through Enigmail or gpg --search-keys / gpg --recv-key, or when they get the latest info on the keys they already know through gpg --refresh-keys, they will see your signature on it!
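The web-of-trust rules from the last bullet above, worked through in code as an added example (this is not code from the page or from GnuPG): it follows GnuPG's classic trust model, whose defaults require one fully trusted signature or three marginally trusted ones (--completes-needed 1, --marginals-needed 3, --max-cert-depth 5), so the Bob-and-Chris case only comes out valid with marginals_needed=2. The key names are constructed.

```python
"""Key validity in the classic OpenPGP web-of-trust model (added example)."""

# Owner trust you assign with "trust" inside gpg --edit-key; ULTIMATE is your own key pair.
NEVER, UNKNOWN, MARGINAL, FULL, ULTIMATE = "never", "unknown", "marginal", "full", "ultimate"


def compute_validity(owner_trust, signatures, completes_needed=1,
                     marginals_needed=3, max_cert_depth=5):
    """Return the set of keys valid for you, given owner_trust {key: level} and
    signatures {signed_key: {signer, ...}}. Thresholds default to GnuPG's
    --completes-needed / --marginals-needed / --max-cert-depth values."""
    valid = {k for k, t in owner_trust.items() if t == ULTIMATE}  # depth 0: your own keys
    for _depth in range(max_cert_depth):  # each round adds one certification hop
        newly_valid = set()
        for key, signers in signatures.items():
            if key in valid:
                continue
            # A signature only counts when the signer's key is itself already valid,
            # which is why you sign the keys you have checked in real life.
            trusted = [s for s in signers if s in valid]
            fulls = sum(owner_trust.get(s) in (FULL, ULTIMATE) for s in trusted)
            marginals = sum(owner_trust.get(s) == MARGINAL for s in trusted)
            if fulls >= completes_needed or marginals >= marginals_needed:
                newly_valid.add(key)
        if not newly_valid:
            break
        valid |= newly_valid
    return valid


def example_full_trust():
    """Bob is fully trusted and you signed his key; Bob signed Alice's key."""
    owner_trust = {"me": ULTIMATE, "bob": FULL}
    signatures = {"bob": {"me"}, "alice": {"bob"}}
    return compute_validity(owner_trust, signatures)


def example_two_marginals(marginals_needed=3):
    """Bob and Chris are marginally trusted (keys signed by you); both signed Alice's key."""
    owner_trust = {"me": ULTIMATE, "bob": MARGINAL, "chris": MARGINAL}
    signatures = {"bob": {"me"}, "chris": {"me"}, "alice": {"bob", "chris"}}
    return compute_validity(owner_trust, signatures, marginals_needed=marginals_needed)


def example_unsigned_signer():
    """Bob is fully trusted but you never signed his key: his signature on Alice is worthless."""
    owner_trust = {"me": ULTIMATE, "bob": FULL}
    signatures = {"alice": {"bob"}}
    return compute_validity(owner_trust, signatures)
```

With the GnuPG defaults Alice stays invalid in the two-marginals case, which is exactly the "UNTRUSTED" situation Enigmail shows until enough checked keys have signed hers.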
If you prefer graphical user interfaces, you can do all that (signing, exporting, importing) through Enigmail functions. For example, here is the Enigmail key manager's key signing dialog, which you can use to sign keys through the key manager window:
Screenshot showing the Enigmail key manager dialog used to sign keys

Further information

More on the protocols

Other guides

Links in French (French-language links)

Other useful links

Support information


Questions or comments? Contact the author! (Clément Séveillac (personal email) - PGP key / fingerprint)